"Penetrating defense" in-depth understanding of windows

Source: Internet
Author: User
Tags bitlocker recovery

Objective

This is a basic tutorial. Together we will look at the common Windows users and user groups, extracting user password hashes locally, logging in to a remote system with a hash, and cracking the hash locally, to gain an initial understanding of basic Windows security.

Directory

    • Section I: Windows
    • Section II: Windows password security
    • Section III: Using the hash to log in to a remote system


Body

Section I: Windows

1.1 What is Windows?

Microsoft Windows is a family of operating systems developed by Microsoft in the United States. It first appeared in 1985 as little more than a graphical environment running on top of MS-DOS; through Microsoft's continual updates, later versions became not only easier to use but also, gradually, the most widely used operating system in homes everywhere. Windows uses a graphical user interface (GUI), which is far friendlier than the typed commands DOS required. As computer hardware and software have advanced, Windows has advanced with them: the architecture has moved from 16-bit to 32-bit and then 64-bit, and the versions have run from the original Windows 1.0 through the familiar Windows 95, Windows 98, Windows ME, Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10, plus the Windows Server line of enterprise operating systems.


1.2 Common Windows users

    • SYSTEM: the account with the highest privileges on the local machine.
    • Administrator: the user account with the highest privileges on the local machine.
    • Guest: has relatively few permissions and is disabled by default.



1.3 Common Windows user groups

Administrators (the administrators group): by default, members of Administrators have unrestricted, full access to the computer or domain. The default permissions assigned to this group allow full control of the entire system, so only trusted people should be made members of it.

Power Users (the advanced users group): can perform any operating-system task except those reserved for the Administrators group. The default permissions assigned to Power Users allow its members to modify settings for the entire computer; however, Power Users cannot add themselves to the Administrators group. In the permission hierarchy this group ranks second only to Administrators.

Users (the normal users group): members of this group cannot make intentional or unintentional system-wide changes. Users can run certified applications but cannot run most legacy applications. Users is the safest group, because the default permissions assigned to it do not allow members to modify operating-system settings or user profiles, so it provides the safest environment in which to run programs. On NTFS-formatted volumes the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs: users cannot modify system registry settings, operating-system files or program files. Users can shut down a workstation but not a server. Users can create local groups, but can modify only the local groups they created themselves.

Guests (the guests group): by default, guests have the same access as members of the Users group, but the Guest account itself has additional restrictions.

Everyone: as the name implies, every user on this computer belongs to this group.
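As an added example (not part of the original article), the following PowerShell function audits the accounts and groups described above on a local machine: it flags an enabled Guest account, enabled accounts that require no password, unexpected members of Administrators, and any membership of the legacy Power Users group. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or later on a current Windows client or server) and an elevated prompt; the function name, parameter name and the list of expected administrators are mine and should be adapted.

```powershell
# Added example: audit the built-in accounts and privileged groups described above.
# Requires the Microsoft.PowerShell.LocalAccounts module and an elevated prompt.
function Get-LocalPrivilegeFindings {
    [CmdletBinding()]
    param(
        # Principals you expect in Administrators (COMPUTER\Name or DOMAIN\Name);
        # anything else is reported. Adjust for your environment.
        [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Built-in accounts. Guest is disabled by default and should stay that way;
    #    an enabled account that needs no password is an open door.
    foreach ($user in Get-LocalUser) {
        if ($user.Name -eq 'Guest' -and $user.Enabled) {
            $findings.Add([pscustomobject]@{ Check = 'GuestEnabled'; Subject = $user.Name; Detail = 'Guest account is enabled' })
        }
        if ($user.Enabled -and -not $user.PasswordRequired) {
            $findings.Add([pscustomobject]@{ Check = 'NoPasswordRequired'; Subject = $user.Name; Detail = 'Enabled account does not require a password' })
        }
    }

    # 2. Group membership. Every member of Administrators has full control of the
    #    machine, so each unexpected member is a finding; Power Users is a legacy
    #    group that should normally be empty.
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
        if ($ExpectedAdmins -notcontains $m.Name) {
            $findings.Add([pscustomobject]@{ Check = 'UnexpectedAdmin'; Subject = $m.Name; Detail = "$($m.ObjectClass) from $($m.PrincipalSource) is in Administrators" })
        }
    }
    foreach ($m in (Get-LocalGroupMember -Group 'Power Users' -ErrorAction SilentlyContinue)) {
        $findings.Add([pscustomobject]@{ Check = 'PowerUsersMember'; Subject = $m.Name; Detail = 'Member of legacy Power Users group' })
    }

    return $findings
}

# Run and print; an empty table means nothing was flagged.
Get-LocalPrivilegeFindings | Format-Table -AutoSize
```

Domain-joined machines will usually show the domain's Domain Admins group in Administrators; add it to the expected list rather than treating every domain principal as a finding.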

1.4 Windows folder permissions

① Full Control:
This permission lets the user fully control the folder, its subfolders and files: change the permissions on the resource, take ownership of it, delete it, and so on. Holding Full Control is equivalent to holding all the other permissions.

② Modify:
This permission lets the user modify or delete the resource, and also grants the Write and Read & Execute permissions.

③ Read & Execute:
This permission lets the user read the resource and list its directory, and also lets the user traverse the resource, that is, reach its subfolders and files directly even without permission to access the intermediate path.

④ List Folder Contents:
This permission lets the user view the names of the subfolders and files in the resource.

⑤ Read:
This permission lets the user view the files and subfolders in the folder, and also view the folder's attributes, owner and permissions.

⑥ Write:
This permission lets the user create new files and subfolders in the folder, change the folder's attributes, view the folder's owner and permissions, and so on.
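To put the permission list above to practical use, here is an added PowerShell example (mine, not from the original article) that walks a folder tree and reports every folder where a broad principal such as Everyone or BUILTIN\Users holds an Allow entry granting write-type rights: Write, Delete, Change Permissions, Take Ownership, or one of the generic rights that some inherited entries carry. The function names, the list of broad principals and the root path are assumptions to adapt to your environment.

```powershell
# Added example: find folders that broad groups can write to.
function Get-WeakFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Well-known broad principals; a write grant to any of them deserves review.
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )

    # Rights from the list above that let a principal change the folder rather than
    # just read it. Modify and Full Control both include these bits.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    # GENERIC_READ/WRITE/EXECUTE/ALL occupy the top nibble of the access mask and show
    # up on some inherited entries (for example CREATOR OWNER); treat them as write.
    $genericMask = 0xF0000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        $grantsWrite = (($rights -band $writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)
        if ($grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Walk a tree and report every folder where a broad group can write.
function Find-BroadlyWritableFolders {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WeakFolderAcl -Path $_.FullName }
}

# Example run: program directories should almost never be writable by Users or Everyone,
# because a writable folder there lets a standard user replace binaries that run as
# other users or as SYSTEM.
Find-BroadlyWritableFolders -Root 'C:\Program Files' | Format-Table -AutoSize
```

Inherited entries are reported too (the Inherited column), so one permissive ACE near the top of a tree will appear on every folder under it; fix it at the folder where IsInherited is False.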

Section II: Windows password security

Tool one: Quarks PwDump


Quarks PwDump is a tool for exporting system credential information in a Win32 environment; no other single tool exports such comprehensive information, supports so many OS versions and is as stable. It can currently export:

    • local accounts: NT/LM hashes + history
    • domain accounts: NT/LM hashes + history
    • cached domain credentials (the domain password cache)
    • BitLocker recovery information (recovery passwords & key packages)

Supported operating systems: XP/2003/Vista/7/2008/8.1.

Instructions for use:

    quarks-pwdump.exe <options>
    Options:
    -dhl  --dump-hash-local
    -dhdc --dump-hash-domain-cached
    -dhd  --dump-hash-domain (NTDS_FILE must be specified)
    -db   --dump-bitlocker (NTDS_FILE must be specified)
    -nt   --ntds-file FILE
    -hist --with-history (optional)
    -t    --output-type JOHN/LC (optional; if not given => JOHN)
    -o    --output FILE (optional; if not given => stdout)

    Example: quarks-pwdump.exe --dump-hash-domain --with-history

Tool two: SAMInside

SAMInside is Windows password-recovery software produced in Russia. It supports Windows NT/2000/XP/Vista and is used mainly to recover Windows user login passwords.

Instructions for use:

Import from the local system and its files (you can also import from a project file or from the SAM file directly). Note that the SAM file is the system's SAM database, normally found under C:\WINDOWS\system32\config.

Press the shortcut key F4. Depending on the password complexity, the password length and the machine's performance, the result sometimes comes quickly; if it is taking too long you can pause and save the cracking state for the next run.


Tool three: Mimikatz

As experienced practitioners know, Mimikatz is a widely used penetration-testing tool, written by a very capable Frenchman. It is a lightweight debugger that can help security testers extract Windows passwords.

Instructions for use:

    Step one: privilege::debug             // elevate privileges
    Step two: sekurlsa::logonpasswords     // extract passwords

First you need to know whether your operating system is 32-bit or 64-bit:
right-click My Computer and choose Properties.

If the computer is 64-bit it will be clearly labelled "x64"; if nothing is indicated, the computer is 32-bit.

Section III: Using the hash to log in to a remote system


In Section II we obtained the hash:

44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4

Open Metasploit.

    use exploit/windows/smb/psexec

Set the attack parameters.

Set the payload.

What if the hash cannot be used this way?


Cracking the hash locally by brute force

Download rainbow-table cracking software to run locally; I won't explain it here.
Here is an online cracking site for everyone, convenient and fast:
http://www.objectif-securite.ch/ophcrack.php
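The hash quoted at the start of this section is in pwdump's LM:NT format, and the online cracker linked above works on the LM half. As an added defender-side example (mine, not from the original article), the PowerShell below parses such lines to report which accounts still have an LM hash stored at all, and reads the NoLMHash setting that stops new LM hashes from being written. The sample input is the hash from this article plus one constructed pwdump-style line; the function names are assumptions.

```powershell
# Added example: audit pwdump-style hash lines for stored LM hashes.
# The empty LM hash is what Windows stores when no LM hash exists (password longer
# than 14 characters, or the NoLMHash policy in force).
$EmptyLmHash = 'aad3b435b51404eeaad3b435b51404ee'
$EmptyLmHalf = 'aad3b435b51404ee'

function Test-LmHashLine {
    # Accepts either a bare "LM:NT" pair (as shown in this article) or a full
    # pwdump line "user:rid:LM:NT:::".
    param([Parameter(Mandatory)][string]$Line)

    $parts = $Line.Trim().Split(':')
    if ($parts.Count -ge 4)     { $user = $parts[0];  $lm = $parts[2]; $nt = $parts[3] }
    elseif ($parts.Count -eq 2) { $user = '<unnamed>'; $lm = $parts[0]; $nt = $parts[1] }
    else { throw "Unrecognised hash line: $Line" }

    if ($lm.Length -ne 32 -or $nt.Length -ne 32) {
        throw "LM and NT fields must each be 32 hex characters: $Line"
    }
    $lm = $lm.ToLowerInvariant()

    [pscustomobject]@{
        User          = $user
        # Any value other than the empty hash means an LM hash is stored for this
        # account, which is the weak legacy format the online cracker attacks.
        LmStored      = ($lm -ne $EmptyLmHash)
        # LM hashes each 7-character half of the password separately, so an empty
        # second half means the password was 7 characters or shorter.
        ShortPassword = ($lm -ne $EmptyLmHash) -and ($lm.Substring(16) -eq $EmptyLmHalf)
        NtHash        = $nt.ToLowerInvariant()
    }
}

function Get-NoLmHashSetting {
    # NoLMHash = 1 (the default since Windows Vista / Server 2008) prevents new LM
    # hashes from being stored at the next password change.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return [bool]$lsa.NoLMHash
}

# Constructed sample input: the hash quoted in this article, plus one pwdump-style
# line with a made-up user name and the empty LM hash.
$sampleLines = @(
    '44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4',
    'sampleuser:1001:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::'
)
$sampleLines | ForEach-Object { Test-LmHashLine -Line $_ } | Format-Table -AutoSize
"NoLMHash policy enabled on this host: $(Get-NoLmHashSetting)"
```

For the article's own hash the first line reports LmStored = True and ShortPassword = True, which is exactly why it is a good candidate for a rainbow-table service; the remediation is to enable NoLMHash where it is not already on and have the affected accounts change their passwords so that only the NT hash remains.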

Tips: the Windows 2003 Shift backdoor

Creating the Shift backdoor

Sethc.exe is the Windows Sticky Keys program; back it up first.

Replace sethc.exe with a copy of cmd.exe.

At the user login screen, press Shift five times.
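From the defender's side, the sticky-keys replacement just described is simple to detect. The following is an added PowerShell example (mine, not part of the original article) that compares the SHA-256 of sethc.exe with that of cmd.exe, checks the OriginalFilename embedded in the file's version resource, and checks its Authenticode status. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), so it runs on current systems or from a management host scanning an offline image via the -System32 parameter; on older systems where PowerShell cannot validate catalog-signed files, the signature field may read NotSigned even for a genuine binary. The function name is an assumption.

```powershell
# Added example: detect the sethc.exe replacement described above.
function Test-StickyKeysBinary {
    [CmdletBinding()]
    param(
        # Folder holding the accessibility binaries; override to scan an offline image.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'

    # 1. A backdoored sethc.exe is usually a byte-for-byte copy of cmd.exe.
    $sethcHash = (Get-FileHash -LiteralPath $sethc -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -LiteralPath $cmd   -Algorithm SHA256).Hash

    # 2. The version resource of a copied cmd.exe still says it is cmd.exe,
    #    whatever the file on disk is called.
    $origName = (Get-Item -LiteralPath $sethc).VersionInfo.OriginalFilename

    # 3. The genuine binary is Microsoft-signed (through the system catalog on most
    #    versions); a modified or replaced file will not validate.
    $sig = Get-AuthenticodeSignature -LiteralPath $sethc

    $sameAsCmd    = ($sethcHash -eq $cmdHash)
    $nameMismatch = ($origName -notlike 'sethc.exe')
    $badSignature = ($sig.Status -ne 'Valid')

    [pscustomobject]@{
        Path             = $sethc
        Sha256           = $sethcHash
        SameAsCmd        = $sameAsCmd
        OriginalFilename = $origName
        NameMismatch     = $nameMismatch
        SignatureStatus  = $sig.Status
        Suspicious       = ($sameAsCmd -or $nameMismatch -or $badSignature)
    }
}

Test-StickyKeysBinary | Format-List
```

Run it on a schedule and compare the Sha256 value against a known-good baseline; any true in the Suspicious column on a machine you did not deliberately alter means someone with write access to System32 has been there.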

Conclusion

Never forget why you started, and you will see it through.

Original article link: http://bbs.ichunqiu.com/thread-8826-1-1.html


Thank you for reading. If you learned something, please give it a like (writing this was not easy)!


Fellow bloggers are welcome to add to this!

Zusheng

"Penetrating defense" in-depth understanding of windows

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.